File name:	LB3.exe
Full analysis:	https://app.any.run/tasks/a3963e1f-6931-411b-987a-1c77ab808481
Verdict:	Malicious activity
Threats:	LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 09, 2025, 16:00:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware stealer lockbit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	A40BBBDC17F188EB906DC09CB0556BC6
SHA1:	1F582C3BA3157202357D11A5A5EDE3A383D10D79
SHA256:	251297B055AA4DECDAB1A1D8E14EA1331BCBE00974515A647F55B0E0C23E29F5
SSDEEP:	3072:OmhXodguLLDzaJ/A7z7zT73cLLsXd6PbMS8IkUA9QyHVy:2fza6z7z8LXbYrU

.dll	\|	Win32 Dynamic Link Library (generic) (38.3)
.exe	\|	Win32 Executable (generic) (26.2)
.exe	\|	Win16/32 Executable Delphi generic (12)
.exe	\|	Generic Win/DOS Executable (11.6)
.exe	\|	DOS Executable Generic (11.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:09:13 23:30:57+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.12
CodeSize:	99328
InitializedDataSize:	50688
UninitializedDataSize:	-
EntryPoint:	0x1946f
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(7692) dllhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(8028) ShellExperienceHost.exe	Key:	\REGISTRY\A\{a5fa9160-2d57-759e-f46c-7f4d84b5026f}\LocalState
Operation:	write	Name:	PeekBadges
Value: 5B005D000000206A959268A9DB01
(PID) Process:	(3888) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ryNlsace9\OpenWithProgids
Operation:	write	Name:	ryNlsace9
Value:
(PID) Process:	(5864) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ryNlsace9\OpenWithProgids
Operation:	write	Name:	ryNlsace9
Value:
(PID) Process:	(7176) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ryNlsace9\OpenWithProgids
Operation:	write	Name:	ryNlsace9
Value:
(PID) Process:	(7384) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ryNlsace9\OpenWithProgids
Operation:	write	Name:	ryNlsace9
Value:
(PID) Process:	(7404) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ryNlsace9\OpenWithProgids
Operation:	write	Name:	ryNlsace9
Value:
(PID) Process:	(4268) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0

PID	Process	Filename		Type
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\AAAAAAAAAAA		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C
7764	LB3.exe	C:\ryNlsace9.README.txt		text
		MD5:DD746ACE17E44ACE00885B91400F11D5	SHA256:B27C3C8A30FAF7C76483B7E5D964AE85046A9713CAA46508EE7A1E31B7DC6272
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\desktop.ini		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C
7764	LB3.exe	C:\ProgramData\ryNlsace9.ico		image
		MD5:88D9337C4C9CFE2D9AFF8A2C718EC76B	SHA256:95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\BBBBBBBBBBB		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\LLLLLLLLLLL		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\NNNNNNNNNNN		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\IIIIIIIIIII		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C
7764	LB3.exe	C:\Users\ryNlsace9.README.txt		text
		MD5:DD746ACE17E44ACE00885B91400F11D5	SHA256:B27C3C8A30FAF7C76483B7E5D964AE85046A9713CAA46508EE7A1E31B7DC6272
7764	LB3.exe	C:\$Recycle.Bin\S-1-5-18\EEEEEEEEEEE		binary
		MD5:43745B372AB27C298FBAEA730467F9CD	SHA256:ED1761B348194179DBF7E095ED348061CE128AA24C3B9E721CC181775FBDBA4C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4208	RUXIMICS.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	OPTIONS	204	3.233.129.217:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=UA&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
—	—	GET	200	3.233.129.217:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=UA&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	binary	187 b	whitelisted
—	—	GET	200	92.123.104.33:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	binary	21.3 Kb	whitelisted
—	—	GET	200	92.123.104.29:443	https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init	unknown	html	128 Kb	whitelisted
—	—	GET	200	92.123.104.20:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.47 Kb	whitelisted
—	—	POST	204	92.123.104.14:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	GET	200	92.123.104.26:443	https://www.bing.com/rb/19/cir3,ortl,cc,nc/FgBbpIj0thGWZOh_xFnM9i4O7ek.css?bu=C6QK5QORBfYK3gnICb8HYWFhYQ&or=w	unknown	text	19.8 Kb	whitelisted
—	—	GET	200	69.192.160.136:443	https://geo2.adobe.com/	unknown	text	50 b	whitelisted
—	—	GET	200	92.123.104.29:443	https://www.bing.com/rp/0u2b9EXo8LdXut1MFm4AD0phBuM.br.js	unknown	binary	1.44 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4208	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4208	RUXIMICS.exe	23.216.77.20:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2112	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7576	AcroCEF.exe	69.192.160.136:443	geo2.adobe.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	23.216.77.20 23.216.77.25 23.216.77.22 23.216.77.30	whitelisted
geo2.adobe.com	69.192.160.136	whitelisted
p13n.adobe.io	52.22.41.97 3.219.243.226 3.233.129.217 52.6.155.20	whitelisted
www.bing.com	92.123.104.33 92.123.104.18 92.123.104.13 92.123.104.32 92.123.104.26 92.123.104.24 92.123.104.29 92.123.104.14 92.123.104.20	whitelisted

General Info

LB3.exe

A40BBBDC17F188EB906DC09CB0556BC6

1F582C3BA3157202357D11A5A5EDE3A383D10D79

251297B055AA4DECDAB1A1D8E14EA1331BCBE00974515A647F55B0E0C23E29F5

3072:OmhXodguLLDzaJ/A7z7zT73cLLsXd6PbMS8IkUA9QyHVy:2fza6z7z8LXbYrU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Known privilege escalation attack

Renames files like ransomware

[YARA] LockBit is detected

RANSOMWARE has been detected

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Creates files in the program directory

Manual execution by a user

Reads Microsoft Office registry keys

Creates files or folders in the user directory

Application launched itself

Checks proxy server information

Create files in a temporary directory

Process checks computer location settings

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings